nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

searx: Ensure that socket is only reachable by Apache and root

Browse Source 
When the security access restrictions are removed from /etc/security/access.d,
we don't want users to bypass Apache access control and directly access the app.

Tests:

- Without the patch, the uwsgi socket file is with permissions 666 in
/run/uwsgi/apps/searx/socket. nc -U <socket> succeeds as non-admin user on the
system.

- Apply the patch and restart FreedomBox. searx set is run and uwsgi service is
restarted and permissions are 660 on /run/uwsgi/apps/searx/socket. nc -U
<socket> fails as non-admin user on the system.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2022-11-08 14:52:02 -08:00 committed by James Valleroy
parent 39aac9228b
commit a8400d07a6
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plinth/modules/searx/__init__.py
View File

@ -28,7 +28,7 @@ class SearxApp(app_module.App):
app_id = 'searx'
_version = 4
_version = 5
def __init__(self):
"""Create components for the app."""

2
plinth/modules/searx/privileged.py
View File

@ -44,6 +44,8 @@ def _update_uwsgi_configuration():
aug.load()
aug.set('/files/etc/uwsgi/apps-available/searx.ini/uwsgi/autoload',
'false')
aug.set('/files/etc/uwsgi/apps-available/searx.ini/uwsgi/chmod-socket',
'660')
aug.save()